Okta Fixes Login Bypass Flaw Tied To Lengthy Usernames
Identity management firm Okta said Friday it has patched a critical authentication bypass vulnerability that affected customers using usernames longer than 52 characters in its AD/LDAP delegated authentication service.
The flaw, introduced on July 23 and fixed October 30, allowed attackers to authenticate using only a username if they had access to a previously cached key. The bug stemmed from Okta's use of the Bcrypt algorithm to generate cache keys from combined user credentials. The company switched to PBKDF2 to resolve the issue and urged affected customers to audit system logs.
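The Bcrypt/PBKDF2 point in the summary, as an added example (not Okta's code): bcrypt only consumes the first 72 bytes of its input, so a cache key derived from userId + username + password stops depending on the password once the userId and username alone fill those 72 bytes, whereas PBKDF2 consumes the whole input. The truncation is modelled with a salted stdlib hash rather than a real bcrypt call; the 20-character userId (the length that makes 52 the threshold), the salt and the passwords are constructed assumptions, and the 52-character username is the one from the comments below.

```python
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bcrypt silently ignores input bytes past this point

# Constructed sample values (not real Okta identifiers).
USER_ID = "00uCONSTRUCTEDID0001"  # assumed 20-character userId
LONG_USERNAME = "ForThoseWonderingHowLongA52CharUserNameIsHereYouGo69"  # 52 chars
SALT = b"constructed-salt"


def cache_key_bcrypt_style(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Vulnerable derivation: userId + username + password fed to a KDF that only
    looks at its first 72 bytes. Modelled with salted SHA-256 over the truncated
    input; this stands in for bcrypt's truncation, it is not bcrypt itself."""
    material = (user_id + username + password).encode()[:BCRYPT_INPUT_LIMIT]
    return hashlib.sha256(salt + material).digest()


def cache_key_pbkdf2(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Fixed derivation: PBKDF2-HMAC-SHA512 consumes every byte of the input,
    so the password always influences the cache key."""
    material = (user_id + username + password).encode()
    return hashlib.pbkdf2_hmac("sha512", material, salt, 100_000)


def password_bytes_covered(user_id: str, username: str) -> int:
    """Defender's check: how many password bytes a 72-byte-truncating KDF still
    sees for this account. Zero means the cached key ignores the password."""
    prefix_len = len((user_id + username).encode())
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def keys_collide(derive, user_id: str, username: str, salt: bytes = SALT) -> bool:
    """True when two different passwords produce the same cache key, which is the
    condition under which a cached key lets a username alone authenticate."""
    k_right = derive(user_id, username, "correct horse battery staple", salt)
    k_wrong = derive(user_id, username, "wrong-password", salt)
    return hmac.compare_digest(k_right, k_wrong)


if __name__ == "__main__":
    print("password bytes covered:", password_bytes_covered(USER_ID, LONG_USERNAME))
    print("bcrypt-style keys collide:", keys_collide(cache_key_bcrypt_style, USER_ID, LONG_USERNAME))
    print("PBKDF2 keys collide:", keys_collide(cache_key_pbkdf2, USER_ID, LONG_USERNAME))
```

With the 52-character username the truncating derivation yields identical keys for any password, while a short username such as "alice" leaves 47 password bytes in scope and the keys differ.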
Amateurs (Score:1)
This is a 2005 era bug.
Re: (Score:2)
This is a 2005 era bug.
Seriously! How did the idea of hashing username + password with a hash function that truncates the input get past any sort of security review, let alone testing?
Why wasn't this picked up in testing? (Score:3)
It's not about the length... (Score:2)
ForThoseWonderingHowLongA52CharUserNameIsHereYouGo69
Re: It's not about the length... (Score:1)
Either limit usernames in both front end and back end, or accept that some users will enter more than you guess they should.
Your app should be able to handle ANY allowed inputs.
There is no exception to this rule, other than pure unadulterated incompetence.
Say what? (Score:2)